High Threat Security Alert (A20-04-04): Multiple Vulnerabilities in Oracle Java and Oracle Products (April 2020)
15 April 2020
Last update on: 04 May 2020
Oracle has released a Critical Patch Update (CPU) Advisory containing patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 15 vulnerabilities identified in Java SE, affecting multiple sub-components including Advanced Management Console, Concurrency, JSSE, JavaFX, Libraries, Lightweight HTTP Server, Scripting, Security and Serialization.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over various protocols, including HTTP, HTTPS, MySQL Protocol, MySQL Workbench, Memcached Protocol, MLD, OracleNet or T3.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a local authenticated attacker could log on to the infrastructure of the affected systems to exploit the vulnerabilities, and a remote attacker could send specially crafted network packets to the affected systems to exploit them.
The vendor has received reports of exploitation attempts against recently patched vulnerabilities in Oracle products, including the remote code execution vulnerability (CVE-2020-2883) in Oracle WebLogic Server. Reports also indicate that proof-of-concept code is publicly available. Users are advised to take immediate action and apply the April 2020 Critical Patch Update to their affected systems to mitigate the elevated risk of cyber attacks. For systems hosted on outsourced platforms, system owners should confirm with their web hosting service providers that the relevant patches have been applied.
Oracle Java SE
Oracle Linux and Virtualization
Oracle MySQL Product Suite
Oracle and Sun Systems Products Suite
Fusion Applications and Middleware
A complete list of the affected products can be found at: